United Kingdom
- The UK General Regulatory Chamber’s Upper Tribunal (UT) has ruled in favour of the ICO which appealed against a 2023 case that held that it could not impose GDPR fines against Clearview AI.
- This case goes back to May 2022, when the ICO accused Clearview of using UK residents’ photographs from social media to train its AI algorithms. The First-tier Tribunal (FTT) held this use to be reasonably acceptable by the people; however, the UT found these data processing activities to be within the scope of the UK GDPR.
- Clearview sought to rely on Article 2(2)(a) of the UK GDPR stating that the processing is for a service offered to non-UK/EU law enforcement and national security agencies.
- The UT, however, held that even though Clearview’s processing was being carried out on behalf of its foreign law enforcement clients, it related to behaviour monitoring of UK residents, and was still bound by UK GDPR regulation.
- Gregg Wallace, the former Master Chef presenter, was fired from the show in July 2025 following an investigation by an independent law firm which found more than 40 allegations of gross misconduct against him.
- In March 2025, Gregg Wallace, claimed that he requested the BBC to provide him with his personal data related to his “work, contractual relations and conduct” throughout the 21 years of his employment.
- Soon after the request the BBC emailed him stating the complexity of his request and said that they will be “taking all reasonable steps to resolve the issue in a timely manner”.
- Given he still has not received a response from the BBC he is now seeking damages for “distress, harassment and loss of amenity not exceeding £10,000”, interest as well as a court order providing him access to his personal data.
United States
- Google asked its US based employees to share their health data with an AI tool provided by Nayya if they want to sign up for Alphabet’s (Google’s parent company) health benefits.
- Nayya’s AI tool allows for personalised guidance on the health benefits available which is permitted under the HIPA Act.
- The employees of Google are concerned about the lack of meaningful consent, whilst Nayya claims that it has gone through the standard security and privacy review of its tool.
- Google has now amended this mandate saying that employees can choose not to share their data without any impact on their benefits.
Europe
- The DSB issued a decision declaring Microsoft’s activities in tracking the data of school children as illegal. However, Microsoft pushed the responsibility to comply with the privacy laws onto the local schools.
- The DSB found that schools have little control over their contractual relationship with giants like Microsoft as it is more of a “take it or leave it” situation. The DSB also found Microsoft to be responsible for using tracking cookies without consent, and for failing to uphold the data subject’s right to access their personal data.
- Microsoft has now been ordered to delete all such personal data after providing the access to it to the relevant data subjects. Additionally, it will now be required to explain in clear terms what is meant by its business purposes such as “business modelling” or “energy efficiency” and if that involves sending personal data to LinkedIn, OpenAI or Xandr (a tracking company).
- Microsoft also presented an argument that its EU subsidiary in Ireland is responsible for its 365 operations across Europe, however this argument was rejected by the DSB, thereby holding Microsoft US responsible.
Ex-Meta lobbyist to co-lead Irish Data Protection Commission (DPC) from mid-October 2025
- Niamh Sweeney will be one of three chief regulators at Ireland’s DPC, igniting concerns that her experience would lead to the regulatory office being too close to BigTech.
- Sweeney worked in leadership roles across companies like Facebook, Whatsapp and Stripe since 2015 with her most recent role as a director of a lobby firm Milltown Partners.
- New information shows that a lawyer representing these tech giants was a member of the panel which chose Sweeney to be the chief regulator, leading to the filing of a conflict of interest complaint.
- Public Appointments Service, the authority that provides recruitment services for public jobs, said in a letter that it found no evidence of inappropriate assessment of the applicants by the panel. It said prior to their appointment in senior roles, the applicants, like Sweeney, have to complete a confidentiality agreement and conflict of interest form.
International
- The NDPC imposed fines on Meta in February 2025 over use of tracking cookies without consent, processing personal data of non-users, failure to submit mandatory compliance audits and unauthorised international transfer of personal data.
- Meta at the first instance contested the fine and procedures followed by the NDPC, however, later agreed to a settlement rather than pursuing legal action.
- As part of the settlement, the NDPC will now require Meta to update its privacy policies, conduct local data protection assessments, obtain consent before using tracking cookies and ensure transparency surrounding international data transfer.
- This follows NDPC wider regulatory trend of imposing multi-million dollar fines on other global tech giants for failure to meet the requirements laid down by their Data Protection Act.
